Hikvision Upgrade Breaks ONVIF VMS Integration
By Ethan Ace, Published Oct 31, 2017, 11:32am EDT (Research)
At this point we’ve installed thousands of Hikvision cameras. It’s too bad I have to subscribe to the IPVM blog to get news about Hikvision updates. While we typically test new firmware ourselves for stability with the VMS and read through all documentation prior to deployment, I may have spent hours trying to figure this out.
Great reporting by team IPVM once again. Making my membership well worth it. Moving away from Hikvision over the last two years was the best decision we’ve made.
Is there a way to mass configure the enabling of ONVIF? I ask because if my customer has a few hundred cameras deployed at their location, going back to upgrade for a vulnerability could knock all the cameras off the VMS. Having to go back to each individual camera would be a nightmare.
Now, to use Hikvision with ONVIF, ONVIF needs to be enabled and an admin account and password need to be created, as shown in the clip below. These credentials are used to add the camera to the VMS/NVR, not the usual admin credentials which have historically been used.
What if you create an ONVIF account named “admin” with the same password as the non-ONVIF admin account, before doing the upgrade as a way to minimize interaction and downtime?
Wait, wait, you're saying ONVIF was enabled with no credentials? You've been running naked/unauthenticated ONVIF in your lab? Are you saying it is your assumption ONVIF is supposed to run with no credentials?

10/31/17 10:45pm
If it makes it more secure, then I'm OK with it, regardless of the pain of additional setup. Although it is a doozy that it will break integration of already installed cameras.
Can you see if there is an option on the 5.5 for optional automatic firmware updates? Until they get this done, I won't get overly excited.
I think this is not a big deal at all. Simply use the next backdoor to create the required user accounts and set the right settings automatically.
Using 2 sets of user accounts is a bad idea IMHO. Also, they are doing this to increase security. This to me seems like they are bandaiding their system, without solving the problem. If they simply solved the backdoor from the API, then who cares if the API command for an ONVIF snapshot is still in the API? It is protected by a username/password. Once ONVIF is re-enabled, is the backdoor still removed? Does the API command still work?
Also, for Axis, I thought that it is whatever protocol is used first. If you first connect to the camera via ONVIF, doesn't it stay enabled?
Do they have complex password rules for the ONVIF user accounts? It is easy for an admin to change a camera password when need arises, but they forget about the ONVIF account, which could lead to unauthorized access.
You could use old ONVIF credentials that admins didn't update and use ONVIF device manager to change settings in the camera.
Yes, you can use Batch Config Tool v2.0.0.6 to bulk enable/disable ONVIF accounts.
Update: Network Optix Issues Notice
VMS developer Network Optix has issued a Hikvision v5.5 Firmware Fix Notice, citing this report, explaining that "Nx Witness uses ONVIF to discover, configure, and stream video from Hikvision cameras" and that, therefore, upgrades will break VMS integration with Network Optix. Network Optix then explains the steps to fix it. Given that ~30% of Network Optix connected cameras are Hikvision, this could be a non-trivial support issue for the company.
Hikvision, they have all tried to bash you for this, but I would like to commend you on your forward thinking. I do not use ONVIF anyway, since all the VMS systems I use have excellent direct driver support. When I buy a new car, toy, or tool, I read the manual. Yup, I do. Same holds true for firmware upgrades. Who would upgrade without reading release notes? (sounds like IPVM did not read this before writing this article, and if they did, should have reported this at the beginning. That does not create conflict though, which sells subscriptions). Heck, most companies do not even provide accurate if any release notes. Also, who would be bulk updating a customer's system before testing it out in the office lab/demo area? Okay, many do not have one. So try maybe one camera first? When it does not work, THEN check release notes? Imagine that, when you download the new firmware, it forces you to also download the release notes. How does anyone not notice them in that zip file? This article should have been more of a congratulations than a regular Hik-bashing.
Look at the title of this article. Huh? Maybe something like “Hikvision addresses security vulnerability with ONVIF compatibility”. Instead, IPVM seems to address the .01 percent of Hikvision cameras integrated through ONVIF to a VMS system and in those cases, the 1 percent of integrators or customers that do not read release notes, have not designed secure networks in the first place (so do not need to upgrade), or have not tested the upgrade.
Hikvision, keep up the good work. (I do get a little grumpy with this sensationalism article “titling” which brings out the Trump in everybody. This site actually used to promote, advance, and educate in our industry with frequent positive collaboration. If you can believe it, manufacturers used to converse and provide valuable information to us. Really, I'm not kidding. Now, this only directs them to the unemployment line).
Follow up item / discussion: Guy Spends $500 And Hours Fixing Hikvision ONVIF Upgrade Break

IPVMU Certified | 12/04/17 02:44pm
Got this notification from NX the other day. Here's their response to Hikvision breaking ONVIF. I would be curious to know how they did this and if other VMS will follow. I underlined and bolded the applicable line below.
3.1.0.17256 Video Management System
PUBLISHED 29 Nov 2017
Release Notes:
IMPROVEMENTS
Audio output support for Sony SNC-CX600.
New AXIS devices support: P1367, P1368, F40-Q1765, XF60-Q1765, P40-Q1765, F34, FA54, M5525, Q8742, P1275, Q8741, FA1105, FA4115, P1245, P1265, F1004, M3048, F8804, P3375, F4005, F1025, F1005, Q3517, Q8685, P3374, FA1125, F1015, F1035, Q3504, Q8642, Q8641, XF60-Q2901, XP40-Q1942, XF40-Q2901.
Hikvision 5.5+ ONVIF automatic re-enabling
"Do HTTP Request" action improvements. Now user can specify request and authorization type manually.
Wow, make an onvif user, that is really inconvenient on a large job...
What is not documented here is that you must also check "Enable Hikvision-CGI" right above the "Enable ONVIF" box.
Additionally, the user you set up for ONVIF must also exist in the Configuration -> Usermanagement list. If it ONLY exists as an ONVIF user, it will not work.